>> No one can turn off auditd unless they are root. Do you have
>> untrusted root users?
>
> We do not have untrusted root users, the problem is we are trying to
> audit ourselves and do it in a way that we could not easily
> circumvent

You will likely need to use the realtime interface and write a program
that moves the data to another machine. I will be writing one in a
couple of months, but in the meantime everyone has to cobble together
their own solution. Otherwise they can just do auditctl -e 0 and you
are done.

> If I wanted to exclude the following
>
> type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2
> success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561
> auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) comm="sshd" exe="/usr/sbin/sshd"
> subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
>
> -a exclude,always -F msgtype=SYSCALL
> -a exit,always -F uid=0
> -a entry,always -F uid=0
>
> Is this correct?

These are 3 different rules that form an OR condition. What will happen
is SYSCALL records in the event will be thrown away, any syscall with
uid 0 will be recorded, and a redundant rule will try to do the same
thing.

> or can I do something
> - -a exit,

No.

> What are you really trying to record?
>
> Trying to record when people access particular files, which I have
> been looking at the auditctl -w for, but the examples in the
> documentation do not work

You have to have the 2.6.18 kernel to get this to work. Otherwise you
are limited to using -F devmajor=xx -F devminor=yy

> such as (found in capp.rules)
>
> -w /var/log/audit/ -k LOG_audit

The above works for 2.6.18 kernel.

-Steve

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
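As an added illustration of two points in the reply above (how the three rules OR together so that the event is still audited while its SYSCALL record is dropped, and the devmajor/devminor fallback for kernels before 2.6.18 where -w does not work), the following Python is example code written for this page; it is not Steve's realtime program and not part of the audit package. The rule evaluation is a deliberately simplified model of the kernel's syscall and exclude filters (only -a list,action rules with -F equality fields and an ignored -k are understood), the SYSCALL record is the one quoted in the thread with auid left as XXX, and watch_fallback_rule builds the device-number rule from os.stat() on a path chosen by the caller.

```python
"""Toy model of the audit rule semantics discussed in the thread.

Added example for this page; not Steve's code and not part of audit.
"""
import os
import re
import shlex

# The SYSCALL record quoted in the thread, embedded as constructed sample
# input (auid left as XXX exactly as it was posted).
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 '
    'auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) comm="sshd" exe="/usr/sbin/sshd" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255'
)

# The three rules from the thread, with "exit.always" spelled as auditctl
# expects it ("exit,always").
THREAD_RULES = [
    '-a exclude,always -F msgtype=SYSCALL',
    '-a exit,always -F uid=0',
    '-a entry,always -F uid=0',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_rule(text):
    """Parse '-a list,action -F k=v ... [-k key]' into (list, action, [(k, v)]).

    Only the subset of auditctl syntax used on this page is modelled.
    """
    argv = shlex.split(text)
    if len(argv) < 2 or argv[0] != '-a' or ',' not in argv[1]:
        raise ValueError('only -a list,action rules are modelled: %r' % text)
    lst, action = argv[1].split(',', 1)
    filters = []
    for flag, expr in zip(argv[2::2], argv[3::2]):
        if flag == '-k':          # filter keys do not affect matching
            continue
        if flag != '-F':
            raise ValueError('unsupported option %r in %r' % (flag, text))
        key, value = expr.split('=', 1)
        filters.append((key, value))
    return lst, action, filters


def event_is_audited(rules, syscall_fields):
    """Syscall filter: exit/entry rules OR together; any rule whose -F fields
    all match the syscall decides whether the event is audited at all."""
    decision = False
    for lst, action, filters in rules:
        if lst not in ('exit', 'entry'):
            continue
        if all(syscall_fields.get(k) == v for k, v in filters):
            decision = (action == 'always')
    return decision


def record_is_emitted(rules, record_type):
    """Exclude filter: applied per record, so an exclude rule drops that
    record type even though the event itself was audited."""
    for lst, action, filters in rules:
        if lst == 'exclude' and action == 'always' \
                and ('msgtype', record_type) in filters:
            return False
    return True


def records_written(rules, syscall_line, record_types=('SYSCALL', 'CWD', 'PATH')):
    """Which records of one event reach the log under the given rules."""
    if not event_is_audited(rules, parse_record(syscall_line)):
        return []
    return [t for t in record_types if record_is_emitted(rules, t)]


def watch_fallback_rule(path, key):
    """Pre-2.6.18 stand-in for '-w path -k key': filter on the device numbers
    of the filesystem holding path. Caveat: this catches every audited
    syscall on that whole filesystem, not just accesses to path."""
    st = os.stat(path)
    return '-a exit,always -F devmajor=%d -F devminor=%d -k %s' % (
        os.major(st.st_dev), os.minor(st.st_dev), key)


if __name__ == '__main__':
    rules = [parse_rule(r) for r in THREAD_RULES]
    print(records_written(rules, SAMPLE_RECORD))      # ['CWD', 'PATH']
    print(records_written(rules[1:], SAMPLE_RECORD))  # ['SYSCALL', 'CWD', 'PATH']
    print(watch_fallback_rule('/', 'LOG_audit'))
```

Running it shows the effect Steve describes: with all three rules loaded the uid 0 event from sshd is audited, but only its CWD and PATH records are written because the exclude rule throws the SYSCALL record away; drop the exclude rule and the full event appears. The devmajor/devminor rule is the coarse fallback, so on a 2.6.18 kernel the -w form from capp.rules is the one to use.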